Fake IPTV App Used for Full Device Takeover & Banking Fraud
Executive Summary
On 20 February 2026, mobile security researchers identified a new Android banking trojan called Massiv. It spreads by pretending to be a premium IPTV streaming application. Once installed, it does not function as a real TV app. Instead, it silently gains powerful permissions and allows attackers to remotely control the victim’s phone in real time.
Unlike older Android banking malware that only stole SMS codes or login credentials, Massiv enables full remote screen takeover using VNC-like capabilities. This means attackers can see everything happening on the screen and interact with it live while the victim is using banking apps.
The malware has primarily targeted users in Southern Europe so far, but the infection method makes it globally scalable.
What Happened
Security teams observed:
- Fake IPTV applications distributed via third-party APK websites
- Social media ads promoting “premium IPTV access”
- Phishing SMS messages linking to malicious downloads
- Telegram channels distributing modified IPTV APKs
Once the app was installed, victims unknowingly granted permissions that allowed:
- Screen capture
- Remote input control
- Accessibility service abuse
- SMS interception
- Overlay injection
The attackers then remotely connected to infected devices and initiated fraudulent banking transactions while watching the screen live.
How the Attack Works
1. Initial Infection Vector
The primary entry points were:
- Sideloaded APK files (not from Google Play)
- Phishing SMS with IPTV subscription links
- Fake IPTV websites offering “lifetime access”
- Telegram/WhatsApp groups sharing IPTV packages
No zero-day Android OS vulnerability was required; the attack relied heavily on social engineering.
2. Installation & Permission Abuse
Once the APK is installed, the app requests:
- Accessibility Service access
- Permission to draw over other apps
- Screen capture via the MediaProjection API
- Notification access
- Permission to ignore battery optimization
Users are tricked into enabling these permissions by fake setup instructions such as:
“Enable access for better streaming quality.”
In reality, these permissions give attackers full control.
3. Command & Control (C2) Registration
After installation:
- The malware collects device fingerprint data:
  - IMEI
  - Android ID
  - Installed apps list
  - Phone model
  - OS version
  - Country code
  - IP address
- It sends this data to a remote C2 server
- The device is registered as “active”
Encrypted HTTPS communication is used, sometimes with self-signed certificates.
4. Payload Capabilities
Massiv includes multiple modules:
A. Remote Screen Streaming (VNC-Style)
- Uses Android MediaProjection API
- Streams screen content live to attacker
- Enables remote gestures and clicks
- Allows navigation inside banking apps
This is the most dangerous feature.
B. Accessibility Abuse
- Reads text from screen
- Detects when banking apps are opened
- Extracts login fields
- Auto-fills fraudulent transfer data
C. Overlay Injection
- Displays fake login screens over real banking apps
- Harvests credentials and card details
- Captures PINs and CVVs
D. SMS Interception
- Reads incoming OTP messages
- Suppresses SMS notifications
- Forwards verification codes to C2
E. Keylogging
- Monitors keystrokes through accessibility events
- Captures usernames, passwords, and PINs
F. Device Takeover Operation (DTO)
Instead of stealing credentials and leaving, attackers:
- Wait until victim logs into banking app
- Activate screen streaming
- Perform fraudulent transfer in real time
- Bypass MFA using intercepted SMS
- Clear transaction notifications
The victim often sees nothing unusual.
What Was Impacted
Primary Targets
- Banking apps
- Cryptocurrency wallets
- Payment platforms
- Credit card management apps
- Government identity apps
Regions Observed
- Spain
- Portugal
- France
- Greece
- Turkey
The infrastructure allows rapid expansion.
Was Any Vulnerability Exploited?
No Android OS vulnerability was exploited.
This attack depends on:
- User enabling Accessibility permissions
- User enabling screen capture
- User installing unknown APK
- Weak user awareness
It abuses legitimate Android features.
Anti-Analysis & Evasion Techniques
Massiv includes:
- Delayed activation (sleeps for hours)
- Emulator detection
- Checks for debugging tools
- Obfuscation using packed classes
- Dynamic C2 address retrieval
- SSL pinning
- Domain rotation
Some samples also detect:
- Known antivirus package names
- Sandbox environments
If any of these is detected, the malware disables its malicious functionality.
Indicators of Compromise (IOCs)
Below are commonly observed indicators from analyzed samples.
File Information
APK Names:
- PremiumIPTV.apk
- IPTVUltraPro.apk
- SmartStreamTV.apk
- LiveTV2026.apk
Package Names:
- com.stream.ultratv
- com.premium.iptvpro
- com.android.media.viewer
- com.smart.livestream
Permissions Requested:
- android.permission.BIND_ACCESSIBILITY_SERVICE
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.RECEIVE_SMS
- android.permission.READ_SMS
- android.permission.FOREGROUND_SERVICE
- android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
Network Indicators
Common Behavior:
- HTTPS POST beaconing
- JSON device registration payload
- Periodic heartbeat every 30–60 seconds
Suspicious Patterns:
- /api/v1/register
- /device/activate
- /panel/gate
- /vnc/connect
Traffic Characteristics:
- Small encrypted packets every 30 seconds
- Increased traffic when banking app active
- Long persistent connections during fraud
Behavioral Indicators
- Screen recording active without visible reason
- Accessibility service enabled for unknown IPTV app
- App running constantly in background
- Banking app freezing momentarily
- Delayed push notifications
Complete Attack Chain Summary
- Victim searches for IPTV
- Downloads APK from unofficial site
- Installs and grants permissions
- Malware registers device to C2
- Waits for banking app activity
- Activates screen streaming
- Attacker performs live transaction
- OTP intercepted
- Money transferred
- Logs wiped
Detection & Threat Hunting Guidance
1. Mobile EDR Hunting Queries
Look for apps that:
- Request Accessibility + Screen Capture together
- Maintain persistent foreground service
- Generate MediaProjection API calls
- Open outbound connections every 30–60 seconds
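The hunting criteria above, together with the permission list in the IOC section, can be turned into a triage script that runs over an app inventory export. The following is an added example, not code from the original advisory: the AppRecord shape is an assumption that mimics what a mobile EDR/MDM inventory could provide, the sample records are constructed (with one package name borrowed from the IOC list and the others made up), and the thresholds are illustrative. Because screen capture via MediaProjection is a runtime consent rather than a manifest permission, it is modelled as an observed-behaviour flag; system-partition apps are exempted from the sideloading checks so that preinstalled packages do not drown the results.

```python
"""Rank installed-app inventory records by the permission and behaviour
combination that Massiv-style device-takeover malware depends on.

Added example; field names and sample records are assumptions, not the
format of any real EDR/MDM product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Permissions from the advisory's IOC list, grouped by the capability they grant.
CAPABILITIES = {
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "persistence": {
        "android.permission.FOREGROUND_SERVICE",
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    },
}
PLAY_STORE_INSTALLER = "com.android.vending"  # installer package for Google Play installs


@dataclass
class AppRecord:
    package: str
    permissions: Set[str]
    screen_capture_seen: bool = False          # a MediaProjection session attributed to this app
    installer: Optional[str] = None            # None = sideloaded or unknown installer
    beacon_interval_s: Optional[float] = None  # median outbound connection interval, if measured
    is_system: bool = False                    # preinstalled on the system partition


def capabilities_of(app: AppRecord) -> Set[str]:
    """Map raw permission strings onto the capability groups above."""
    return {name for name, perms in CAPABILITIES.items() if app.permissions & perms}


def score_app(app: AppRecord) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); each reason is one hunting criterion the record meets."""
    caps = capabilities_of(app)
    reasons = []
    if "accessibility" in caps and app.screen_capture_seen:
        reasons.append("accessibility service + screen capture together")
    if "accessibility" in caps and "overlay" in caps:
        reasons.append("accessibility + draw-over-apps (overlay injection pattern)")
    if "accessibility" in caps and "sms" in caps:
        reasons.append("accessibility + SMS read/receive (OTP interception pattern)")
    if "persistence" in caps:
        reasons.append("foreground service / battery-optimisation exemption (persistence)")
    if not app.is_system and app.installer != PLAY_STORE_INSTALLER:
        reasons.append("not installed from Google Play (sideloaded)")
        if app.package.startswith("com.android."):
            reasons.append("sideloaded app squatting on the com.android.* namespace")
    if app.beacon_interval_s is not None and 30 <= app.beacon_interval_s <= 60:
        reasons.append(f"outbound connections every ~{app.beacon_interval_s:.0f}s")
    verdict = "high" if len(reasons) >= 3 else "medium" if reasons else "low"
    return verdict, reasons


def triage(inventory: List[AppRecord]) -> Dict[str, Tuple[str, List[str]]]:
    return {app.package: score_app(app) for app in inventory}


# Constructed sample inventory: one IOC package, one namespace-squatting package,
# one genuine system app and one Play-installed banking app.
ALL_IOC_PERMISSIONS = set().union(*CAPABILITIES.values())
SAMPLE_INVENTORY = [
    AppRecord("com.stream.ultratv", ALL_IOC_PERMISSIONS, screen_capture_seen=True,
              installer=None, beacon_interval_s=45.0),
    AppRecord("com.android.media.viewer",
              {"android.permission.BIND_ACCESSIBILITY_SERVICE",
               "android.permission.SYSTEM_ALERT_WINDOW"}, installer=None),
    AppRecord("com.android.settings", {"android.permission.WRITE_SECURE_SETTINGS"},
              is_system=True),
    AppRecord("com.example.bank", {"android.permission.INTERNET",
                                   "android.permission.USE_BIOMETRIC"},
              installer=PLAY_STORE_INSTALLER),
]

if __name__ == "__main__":
    for package, (verdict, reasons) in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:6} {package}")
        for reason in reasons:
            print(f"       - {reason}")
```

The verdict is deliberately cumulative: a single criterion such as a foreground service is common in legitimate apps, whereas accessibility combined with overlay, SMS access and a sideloaded installer almost never is.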
2. Android Log Monitoring
Monitor for:
- MediaProjection started by non-media apps
- Accessibility events triggered by IPTV apps
- Overlay windows over banking apps
3. Network Detection (Proxy / Firewall)
Flag:
- Mobile devices making frequent encrypted outbound POST requests to unknown domains
- Long-lived HTTPS sessions after banking app launch
- TLS traffic to newly registered domains
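The network indicators listed earlier (30–60 second heartbeats, small encrypted POSTs, the C2 path patterns) and the proxy-side flags above can be checked with a beacon detector over proxy logs. The following is an added example, not code from the original advisory or any named product: the log line format (timestamp, client IP, method, host, path, bytes) and the hostnames are constructed placeholders, and the interval, jitter and size thresholds are assumptions to tune against local traffic. It groups requests per client and destination, looks for a tight periodic pattern of small POSTs, and separately matches the path patterns from the advisory.

```python
"""Detect periodic small-POST beaconing and known C2 path patterns in proxy logs.

Added example; the log format and hostnames below are constructed placeholders.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# URL path patterns listed in the advisory's network indicators.
SUSPICIOUS_PATHS = ("/api/v1/register", "/device/activate", "/panel/gate", "/vnc/connect")

# Assumed line layout: <iso-timestamp> <client-ip> <method> <host> <path> <bytes-sent>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Constructed proxy log: one client beaconing every ~30 s to a placeholder C2 host,
# mixed with irregular, larger requests to a placeholder CDN host.
SAMPLE_LOG = """
2026-02-20T09:59:30Z 10.0.0.12 POST c2-placeholder.example /api/v1/register 412
2026-02-20T10:00:00Z 10.0.0.12 POST c2-placeholder.example /panel/gate 310
2026-02-20T10:00:05Z 10.0.0.12 GET cdn-placeholder.example /static/app.js 18230
2026-02-20T10:00:07Z 10.0.0.12 GET cdn-placeholder.example /static/logo.png 9120
2026-02-20T10:00:30Z 10.0.0.12 POST c2-placeholder.example /panel/gate 310
2026-02-20T10:01:00Z 10.0.0.12 POST c2-placeholder.example /panel/gate 310
2026-02-20T10:01:30Z 10.0.0.12 POST c2-placeholder.example /panel/gate 310
2026-02-20T10:01:50Z 10.0.0.12 GET cdn-placeholder.example /api/feed 22000
2026-02-20T10:02:01Z 10.0.0.12 POST c2-placeholder.example /panel/gate 310
2026-02-20T10:02:30Z 10.0.0.12 POST c2-placeholder.example /panel/gate 310
2026-02-20T10:04:00Z 10.0.0.12 GET cdn-placeholder.example /api/feed 22000
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not match the assumed layout
    ts, client, method, host, path, size = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "method": method, "host": host, "path": path,
        "bytes": int(size),
    }


def detect_beacons(lines: List[str], min_interval: float = 25, max_interval: float = 65,
                   max_jitter: float = 0.25, max_bytes: int = 1024,
                   min_hits: int = 4) -> List[Dict]:
    """Return one finding per (client, host) pair that shows beaconing or C2 paths."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        hit_paths = sorted({r["path"] for r in recs
                            if any(r["path"].startswith(p) for p in SUSPICIOUS_PATHS)})
        if hit_paths:
            reasons.append("known C2 path pattern: " + ", ".join(hit_paths))

        if len(recs) >= min_hits:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            median_gap = statistics.median(gaps)
            # Jitter = worst deviation from the median, relative to the median.
            jitter = (max(abs(g - median_gap) for g in gaps) / median_gap
                      if median_gap > 0 else float("inf"))
            small = statistics.median(r["bytes"] for r in recs) <= max_bytes
            post_ratio = sum(r["method"] == "POST" for r in recs) / len(recs)
            if (min_interval <= median_gap <= max_interval and jitter <= max_jitter
                    and small and post_ratio >= 0.8):
                reasons.append(f"periodic small POST beacon: median {median_gap:.0f}s, "
                               f"jitter {jitter:.0%}")

        if reasons:
            findings.append({"client": client, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

The jitter bound is what separates malware heartbeats from ordinary polling: a human-driven app produces irregular gaps, while a sleep-loop beacon clusters tightly around its interval even when the payload is encrypted and the host is unknown.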
4. Sample Sigma Rule
title: Suspicious Android Accessibility Abuse
logsource:
    product: android
detection:
    accessibility:
        permissions: 'BIND_ACCESSIBILITY_SERVICE'
    overlay:
        permissions: 'SYSTEM_ALERT_WINDOW'
    condition: accessibility and overlay
level: high
5. YARA Rule
rule Massiv_IPTV_Trojan
{
    meta:
        description = "Detects Massiv IPTV Trojan patterns"
    strings:
        $a = "MediaProjection"
        $b = "AccessibilityService"
        $c = "/device/activate"
        $d = "vnc_connect"
    condition:
        2 of ($a, $b, $c, $d)
}
How to Protect Against It
For Users:
- Never sideload IPTV APKs
- Do not grant Accessibility to streaming apps
- Review screen capture permissions
- Install mobile security software
- Enable Google Play Protect
For Organizations:
- Deploy Mobile Threat Defense (MTD)
- Block sideloading via MDM
- Monitor abnormal screen recording APIs
- Restrict high-risk permissions
Why This Malware Is Dangerous
Older banking trojans relied on fake login pages.
Massiv:
- Takes full control
- Operates in real time
- Bypasses MFA
- Leaves minimal forensic evidence
- Makes fraud look like legitimate user activity
It represents a shift from credential theft to live remote financial hijacking.
